Circuito_OpenLDAP

CIRCUITO OPENLDAP

www.thesource.com.br

Marcio Garcia [email protected]@thesource.com.br

The Source Consultoria, Desenvolvimento e CapacitaçãoRua Afonso Celso, 457 – Vila Mariana – São Paulo

PABX: 2171-43001 de 23

mailto:[email protected]


ÍndiceOpenLDAP............................................................................................................3Instalação.............................................................................................................3Configuração........................................................................................................4Inicialização..........................................................................................................5Alteração de senhas..............................................................................................6Criação das entradas para importação na base LDAP............................................7Importação das entradas na base LDAP.................................................................8Consultas na base LDAP – RFC 2254...................................................................11Modificando as entradas na base LDAP...............................................................13Deletando as entradas na base LDAP..................................................................14Backup / Restore da base LDAP..........................................................................15Índices de pesquisa............................................................................................16ACL's – Access Control Lists................................................................................16TLS / SSL - Criptografia......................................................................................18


PABX: 2171-43002 de 23

OpenLDAP

• Pré-requisitos:

OpenSSL – Última versão estável: openssl-0.9.7j.tar.gz / openssl-0.9.8b.tar.gz

http://www.openssl.org

BerkeleyDB – Última versão estável: db-4.5.20.tar.gz

http://www.sleepycat.com

Cyrus-SASL – Última versão estável: cyrus-sasl-2.1.22.tar.gz

http://asg.web.cmu.edu/cyrus/

OpenLDAP – Última versão estável: openldap-stable-20070110.tar.gz

http://www.openldap.org

Instalação

• OpenSSL

# wget -c http://www.openssl.org/source/openssl-0.9.7j.tar.gz# wget -c http://www.openssl.org/source/openssl-0.9.8b.tar.gz

# tar xzvf openssl-0.9.xx.tar.gz# cd openssl-0.9.xx# ./config shared --openssldir=/usr/local# make# make install

• BerkeleyDB

# wget -c http://downloads.sleepycat.com/db-4.5.20.tar.gz

# tar xzvf db-4.5.20.tar.gz# cd db-4.5.20/build_unix# ../dist/configure --prefix=/usr/local# make# make install# ldconfig


PABX: 2171-43003 de 23

http://www.openssl.org/

http://www.openssl.org/source/openssl-0.9.7j.tar.gz



http://www.openldap.org/

http://asg.web.cmu.edu/cyrus/

http://www.sleepycat.com/

Obs.: No Slackware o diretório “/usr/local/lib” já existe no arquivo “/etc/ld.so.conf”.

• Cyrus-SASL

# wget -c ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.22.tar.gz

# tar xzvf cyrus-sasl-2.1.22.tar.gz# cd cyrus-sasl-2.1.22# ./configure# make# make install# cd /usr/lib# mv sasl2 sasl2.original# ln -s /usr/local/lib/sasl2

• OpenLDAP

# wget -c ftp://ftp.openldap.org/pub/OpenLDAP/openldap-stable/openldap-stable-20070110.tgz

# tar xzvf openldap-stable-20070110.tgz# cd openldap-2.3.32# ./configure --with-tls# make depend# make# make install

Configuração

• OpenLDAP

# cd /usr/local/etc/openldap

# vi slapd.conf

# Opcoes Globais

include /usr/local/etc/openldap/schema/core.schemainclude /usr/local/etc/openldap/schema/cosine.schemainclude /usr/local/etc/openldap/schema/nis.schemainclude /usr/local/etc/openldap/schema/inetorgperson.schema

pidfile /usr/local/var/run/slapd.pidargsfile /usr/local/var/run/slapd.args


PABX: 2171-43004 de 23





allow bind_v2loglevel 256

# TLS / SSL

# Opcoes do banco de dados

database bdbsuffix "c=BR"rootdn "cn=Master,c=BR"rootpw {SSHA}+7vJt6RStpyegSCslgAaym6P8AhacpF3directory /usr/local/var/openldap-data

# ACL's

# Indices de pesquisa

index objectClass eq

• loglevel – Níveis de log

1 (0x1 trace) trace function calls2 (0x2 packet) debug packet handling4 (0x4 args) heavy trace debugging (function args)8 (0x8 conns) connection management6 (0x10 BER) print out packets sent and received32 (0x20 filter) search filter processing64 (0x40 config) configuration file processing128 (0x80 ACL) access control list processing256 (0x100 stats) stats log connections/operations/results512 (0x200 stats2) stats log entries sent1024 (0x400 shell) print communication with shell backends2048 (0x800 parse) entry parsing4096 (0x1000 cache) caching (unused)8192 (0x2000 index) data indexing (unused)16384 (0x4000 sync) LDAPSync replication32768 (0x8000 none) only messages that get logged whatever log level is set

Inicialização

• Iniciando o OpenLDAP no modo normal

# /usr/local/libexec/slapd

# ps wax | grep slapd

5140 ? Ssl 0:00 /usr/local/libexec/slapd


PABX: 2171-43005 de 23

# netstat -at | grep LISTEN

tcp 0 0 *:ldap *:* LISTEN

# netstat -nat | grep LISTEN

tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN

• Iniciando o OpenLDAP no modo debug

# /usr/local/libexec/slapd -d2

• Parando o OpenLDAP

# killall -INT slapd

Alteração de senhas

• Algoritmos disponíveis

{CRYPT}{MD5}{SMD5}{SHA}{SSHA}

• Com exibição de prompt para alteração de senhas

# slappasswd -h {SSHA}

New password: ******Re-enter new password: ******

{SSHA}W+KMvIvrVZewWB2vyptuw8HCJY0vFmoR

• Sem exibição de prompt para alteração de senhas

# slappasswd -h {SSHA} -s 123456

{SSHA}mN2aztkb3/h6RgMNq3YmZL2R3SDxvU3e


PABX: 2171-43006 de 23

Criação das entradas para importação na base LDAP

• Country BR: “c=BR”

# vi br.ldif

dn: c=BRobjectClass: countryc: BR

• Organização TheSource: “o=TheSource”

# vi thesource.ldif

dn: o=TheSource, c=BRobjectClass: organizationo: TheSource

• Departamento TI: “ou=TI”

# vi ti.ldif

dn: ou=TI, o=TheSource, c=BRobjectClass: organizationalUnitou: TI

• Departamento RH: “ou=RH”

# vi rh.ldif

dn: ou=RH, o=TheSource, c=BRobjectClass: organizationalUnitou: RH

• Usuário mgarcia: “uid=mgarcia”

# vi mgarcia.ldif

dn: uid=mgarcia, ou=TI, o=TheSource, c=BRobjectClass: inetOrgPersonuid: mgarciacn: Marcio Garciamail: [email protected]: GarciauserPassword: {SSHA}sOEFhMFdlam1lMm5rdmp3WVBMTVVSY0hzTWs=


PABX: 2171-43007 de 23


• Usuário ralf: “uid=ralf”

# vi ralf.ldif

dn: uid=ralf, ou=TI, o=TheSource, c=BRobjectClass: inetOrgPersonuid: ralfcn: Ralf Bragamail: [email protected]: BragauserPassword: {SSHA}sOEFhMFdlam1lMm5rdmp3WVBMTVVSY0hzTWs=

• Usuário recursoshumanos: “uid=recursoshumanos”

# vi recursoshumanos.ldif

dn: uid=recursoshumanos, ou=RH, o=TheSource, c=BRobjectClass: inetOrgPersonuid: recursoshumanoscn: Recursos Humanos The Sourcemail: [email protected]: Recursos HumanosuserPassword: {SSHA}sOEFhMFdlam1lMm5rdmp3WVBMTVVSY0hzTWs=

Importação das entradas na base LDAP

• Entrada: br.ldif

# ldapadd -x -W -v -D 'cn=Master,c=BR' -f br.ldif

ldap_initialize( <DEFAULT> )Enter LDAP Password: ******

add objectClass: countryadd c: BRadding new entry "c=BR"

modify complete

• Entrada: thesource.ldif

# ldapadd -x -W -v -D 'cn=Master,c=BR' -f thesource.ldif



PABX: 2171-43008 de 23



add objectClass: organizationadd o: TheSourceadding new entry "o=TheSource, c=BR"

modify complete

• Entrada: ti.ldif

# ldapadd -x -W -v -D 'cn=Master,c=BR' -f ti.ldif


add objectClass: organizationalUnitadd ou: TIadding new entry "ou=TI, o=TheSource, c=BR"

modify complete

• Entrada: rh.ldif

# ldapadd -x -W -v -D 'cn=Master,c=BR' -f rh.ldif


add objectClass: organizationalUnitadd ou: RHadding new entry "ou=RH, o=TheSource, c=BR"

modify complete

• Entrada: mgarcia.ldif

# ldapadd -x -W -v -D 'cn=Master,c=BR' -f mgarcia.ldif


add objectClass: inetOrgPersonadd uid:


PABX: 2171-43009 de 23

mgarciaadd cn: Marcio Garciaadd mail: [email protected] sn: Garciaadd userPassword: {SSHA}sOEFhMFdlam1lMm5rdmp3WVBMTVVSY0hzTWs=adding new entry "uid=mgarcia, ou=TI, o=TheSource, c=BR"

modify complete

• Entrada: ralf.ldif

# ldapadd -x -W -v -D 'cn=Master,c=BR' -f ralf.ldif


add objectClass: inetOrgPersonadd uid: ralfadd cn: Ralf Bragaadd mail: [email protected] sn: Bragaadd userPassword: {SSHA}sOEFhMFdlam1lMm5rdmp3WVBMTVVSY0hzTWs=adding new entry "uid=ralf, ou=TI, o=TheSource, c=BR"

modify complete

• Entrada: recursoshumanos.ldif

# ldapadd -x -W -v -D 'cn=Master,c=BR' -f recursoshumanos.ldif


add objectClass: inetOrgPersonadd uid: recursoshumanosadd cn: Recursos Humanos The Sourceadd mail:


PABX: 2171-430010 de 23

[email protected] sn: Recursos Humanosadd userPassword: {SSHA}sOEFhMFdlam1lMm5rdmp3WVBMTVVSY0hzTWs=adding new entry "uid=recursoshumanos, ou=RH, o=TheSource, c=BR"

modify complete

• Opções do “ldapadd”

-x Utiliza autenticação simples ao invés de SASL-W Autenticação através de prompt-w Autenticação através de linha de comando-v Verbose, utilizado para printar o status do ldapadd-D Especifica o usuário que ira fazer um bind na base-f Especifica o arquivo que será importado

Consultas na base LDAP – RFC 2254

• Consultando a base LDAP

# ldapsearch -x -b c=BR

• Consultando a base LDAP, sem comentários e descrições

# ldapsearch -x -b c=BR -LLL

• Consultando a base LDAP, filtrando pelo usuário “mgarcia”

# ldapsearch -x -b c=BR '(uid=mgarcia)'# ldapsearch -x -b c=BR -u uid=mgarcia

• Consultando a base LDAP, filtrando pelo nome “Ralf Braga”

# ldapsearch -x -b c=BR '(cn=Ralf Braga)'# ldapsearch -x -b c=BR -u 'cn=Ralf Braga'

• Consultando a base LDAP, filtrando pelo nome “Marcio Garcia” e/ou “Ralf Braga”

# ldapsearch -x -b c=BR -LLL '(&(|(cn=Marcio Garcia)(cn=Ralf Braga)) (objectClass=inetOrgPerson))'


PABX: 2171-430011 de 23

# ldapsearch -x -b c=BR -LLL '(&(|(cn=Marcio Garcia)(cn=Ralf Braga)))'

• Consultando a base LDAP, com exceção do nome “Marcio Garcia”

# ldapsearch -x -b c=BR -LLL '(!(cn=Marcio Garcia)) (objectClass=inetOrgPerson)'# ldapsearch -x -b c=BR -LLL '(!(cn=Marcio Garcia))'

• Consultando a base LDAP, com exceção do nome “Marcio Garcia”, filtrando o resultado pelo atributo “mail”

# ldapsearch -x -b c=BR -LLL '(!(cn=Marcio Garcia))' mail

• Operadores boleanos que podem ser utilizados na pesquisa

& and| or! not

• Filtros de pesquisa

= igual=~ direfente>= maior ou igual<= menor ou igual

• Exibe os atributos com todos os detalhes, inclusive os invisíveis

# ldapsearch -x -b c=BR +

• Exibe todos os objectClass por “OID”

# ldapsearch -x -b "" -s base "(objectClass=*)" +

• Consulta todos os esquemas disponíveis no servidor LDAP

# ldapsearch -x -W -D cn=Master,c=BR -s base -b "cn=SubSchema" "(objectClass=*)" +

Obs.: É a mesma coisa que dar um cat nos esquemas do diretório: /usr/local/etc/openldap/schema

O comando acima exibe alguns parâmetros adicionais.


PABX: 2171-430012 de 23

Modificando as entradas na base LDAP

• Consultando o nome “Marcio Garcia”

# ldapsearch -x -b c=BR -LLL '(cn=Marcio Garcia)'

dn: uid=mgarcia,ou=TI,o=TheSource,c=BRobjectClass: inetOrgPersonuid: mgarciacn: Marcio Garciamail: [email protected]: GarciauserPassword: {SSHA}sOEFhMFdlam1lMm5rdmp3WVBMTVVSY0hzTWs=

• Modificando o sobrenome do usuário “Marcio Garcia” de “Garcia” para“Garcia Marcenari” e adicionando o atributo: “mobile: 9999-9999”

# vi mgarcia.ldif

dn: uid=mgarcia,ou=TI,o=TheSource,c=BRobjectClass: inetOrgPersonuid: mgarciacn: Marcio Garciamail: [email protected]: Garcia MarcenariuserPassword: {SSHA}sOEFhMFdlam1lMm5rdmp3WVBMTVVSY0hzTWs=mobile: 9999-9999

# ldapmodify -x -W -v -D 'cn=Master,c=BR' -f mgarcia.ldif


replace objectClass: inetOrgPersonreplace uid: mgarciareplace cn: Marcio Garciareplace mail: [email protected] sn: Garcia Marcenarireplace userPassword: {SSHA}sOEFhMFdlam1lMm5rdmp3WVBMTVVSY0hzTWs=replace mobile: 9999-9999modifying entry "uid=mgarcia, ou=TI, o=TheSource, c=BR"


PABX: 2171-430013 de 23

modify complete

• Após a modificação

# ldapsearch -x -b c=BR -LLL '(cn=Marcio Garcia)'

userPassword: {SSHA}sOEFhMFdlam1lMm5rdmp3WVBMTVVSY0hzTWs=

dn: uid=mgarcia,ou=TI,o=TheSource,c=BRobjectClass: inetOrgPersonuid: mgarciacn: Marcio Garciamail: [email protected]: Garcia MarcenariuserPassword: {SSHA}sOEFhMFdlam1lMm5rdmp3WVBMTVVSY0hzTWs=mobile: 9999-9999

Deletando as entradas na base LDAP

• Consultando o usuário “recursoshumanos”

# ldapsearch -x -b c=BR -LLL '(uid=recursoshumanos)'

dn: uid=recursoshumanos,ou=RH,o=TheSource,c=BRobjectClass: inetOrgPersonuid: recursoshumanoscn: Recursos Humanos The Sourcemail: [email protected]: Recursos HumanosuserPassword: {SSHA}sOEFhMFdlam1lMm5rdmp3WVBMTVVSY0hzTWs=

• Deletando o usuário “recursoshumanos” da base LDAP

# ldapdelete -x -W -v -D 'cn=Master,c=BR' uid=recursoshumanos,ou=RH,o=TheSource,c=BR


deleting entry "uid=recursoshumanos,ou=RH,o=TheSource,c=BR"

Obs.: A opção “-r” deleta uma entrada recursivamente.


PABX: 2171-430014 de 23

Backup / Restore da base LDAP

• Backup off-line

# slapcat > /root/bkp_base_ldap_slapcat.ldif

• Restore off-line

# slapadd -v -l /root/bkp_base_ldap_slapcat.ldif

• Backup on-line

# ldapsearch -x -b c=BR -LLL -W -v -D 'cn=Master,c=BR' > /root/bkp_online.ldif


filter: (objectclass=*)requesting: All userApplication attributes

• Restore on-line – Apague toda a base LDAP antes de fazer um restore

# killall -9 slapd# cd /usr/local/var/openlda-data# rm -rf *# cd /root# /usr/local/libexec/slapd

# ldapadd -x -W -v -D 'cn=Master,c=BR' -f /root/bkp_online.ldif


add objectClass: countryadd c: BRadding new entry "c=BR"............add sn: Bragaadd userPassword: {SSHA}sOEFhMFdlam1lMm5rdmp3WVBMTVVSY0hzTWs=adding new entry "uid=ralf,ou=TI,o=TheSource,c=BR"


PABX: 2171-430015 de 23

modify complete

Índices de pesquisa

• Os índices ficam localizados no final do arquivo de configuração do servidor LDAP

# vi /usr/local/etc/openldap/slapd.conf

# Indices de pesquisa

index objectClass eqindex mail,cn,sn pres,eq,subindex uid eq,sub

• Opções

eq Indexa baseado no que está definido no atributoaprox Indexa a informação por uma aproximaçãopres Indexa se tem ou não determinado atributo em tal parte da basesub Indexa partes de atributos declarados

• Criando as tabelas de índices

# ls /usr/local/var/openldap-data# rm /usr/local/var/openldap-data/alock# slapindex -v# ls /usr/local/var/openldap-data

ACL's – Access Control Lists

• As ACL's ficam localizadas após as configurações do banco de dados do arquivo de configuração do servidor LDAP


# ACL's

• Consultando o usuário “mgarcia” sem a utilização de ACL's


PABX: 2171-430016 de 23

# ldapsearch -x -b c=BR -LLL '(uid=mgarcia)'

dn: uid=mgarcia,ou=TI,o=TheSource,c=BRobjectClass: inetOrgPersonuid: mgarciacn: Marcio Garciamail: [email protected]: Garcia MarcenariuserPassword:: e1NTSEF9c09FRmhtNXJkbXAzV1ZCTVRWVlNZMGh6VFdzPQ==mobile: 7724-8637

Obs.: A atributo “userPassword” pode ser visualizado por qualquer um.

• Restringindo consultas ao atributos “mail” e “userPassword”através deACL's, porém o atributo “userPassword” pode ser alterado pelo usuário que fizer um bind na base LDAP


# ACL's

access to attrs=mail by dn="cn=Master,c=BR" write by * auth

access to attrs=userPassword by self write by dn="cn=Master,c=BR" write by * auth

access to * by dn="cn=Master,c=BR" write by * read

# killall -9 slapd# /usr/local/libexec/slapd

• Consultando o usuário “mgarcia” com a utilização de ACL's

# ldapsearch -x -b c=BR -LLL '(uid=mgarcia)'

dn: uid=mgarcia,ou=TI,o=TheSource,c=BRobjectClass: inetOrgPersonuid: mgarciacn: Marcio Garciasn: Garcia Marcenarimobile: 7724-8637

• Identificadores


PABX: 2171-430017 de 23

* Todos, incluindo usuários anônimos e autenticadosanonymous Usuários anônimosusers Usuários autenticadosself Pelo próprio usuáriodn.regex=<regex> Usuários de acordo com a expressão regulardn.subtree De um determinado ponto para baixodn.base Especificando um “dn”. Pode ser qualquer usuário

• Níveis de acesso

none Sem acessoauth =x Apenas autenticaçãocompare =cx Capacidade para realizar comparaçõessearch =scx Pode aplicar filtros de buscasread =rscx Pode ler resultados de buscaswrite =wrscx Pode modificar e renomear entradas

TLS / SSL - Criptografia

• Configurar e descomentar a opção “unique_subject = no” no arquivo de configuraçao “/etc/ssl/openssl.cnf”

# vi /etc/ssl/openssl.cnf

...

...

...unique_subject = no.........

• Criando o certificado

# cd /tmp# mkdir certs# cd certs# /etc/ssl/misc/CA.sh -newca

CA certificate filename (or enter to create)

Making CA certificate ...Generating a 1024 bit RSA private key............................++++++...++++++


PABX: 2171-430018 de 23

writing new private key to './demoCA/private/./cakey.pem'Enter PEM pass phrase:Verifying - Enter PEM pass phrase:-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:BRState or Province Name (full name) [Some-State]:SPLocality Name (eg, city) []:Sao PauloOrganization Name (eg, company) [Internet Widgits Pty Ltd]:The SourceOrganizational Unit Name (eg, section) []:TICommon Name (eg, YOUR name) []:mgarcia.thesource.com.brEmail Address []:[email protected]

• Criando a requisição de certificado e a chave privada para o servidor

# cd /tmp/certs

# openssl req -new -nodes -keyout newreq.pem -out newreq.pem

Generating a 1024 bit RSA private key.........................................++++++.........++++++writing new private key to 'newreq.pem'-----You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [AU]:BRState or Province Name (full name) [Some-State]:SPLocality Name (eg, city) []:Sao PauloOrganization Name (eg, company) [Internet Widgits Pty Ltd]:The SourceOrganizational Unit Name (eg, section) []:TICommon Name (eg, YOUR name) []:mgarcia.thesource.com.brEmail Address []:[email protected]

Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:An optional company name []:


PABX: 2171-430019 de 23

• Assinando o certificado

# cd /tmp/certs

# /etc/ssl/misc/CA.sh -sign

Using configuration from /etc/ssl/openssl.cnfEnter pass phrase for ./demoCA/private/cakey.pem:Check that the request matches the signatureSignature okCertificate Details: Serial Number: 1 (0x1) Validity Not Before: Jul 13 20:39:26 2006 GMT Not After : Jul 13 20:39:26 2007 GMT Subject: countryName = BR stateOrProvinceName = SP localityName = Sao Paulo organizationName = The Source organizationalUnitName = TI commonName = mgarcia.thesource.com.br emailAddress = [email protected] X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 2D:30:C7:A0:63:20:53:BC:51:89:EA:48:EB:03:FA:04:19:5C:5E:8A X509v3 Authority Key Identifier: keyid:09:0C:CD:9D:D7:F3:48:3B:D2:64:9F:59:6C:7A:D9:C1:B5:48:13:8B DirName:/C=BR/ST=SP/L=Sao Paulo/O=The Source/OU=TI/CN=mgarcia.thesource.com.br/[email protected] serial:90:0F:AD:CB:A3:F5:FD:53

Certificate is to be certified until Jul 13 20:39:26 2007 GMT (365 days)Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]yWrite out database with 1 new entriesData Base UpdatedCertificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: md5WithRSAEncryption Issuer: C=BR, ST=SP, L=Sao Paulo, O=The Source, OU=TI, CN=mgarcia.thesource.com.br/[email protected] Validity


PABX: 2171-430020 de 23

Not Before: Jul 13 20:39:26 2006 GMT Not After : Jul 13 20:39:26 2007 GMT Subject: C=BR, ST=SP, L=Sao Paulo, O=The Source, OU=TI, CN=mgarcia.thesource.com.br/[email protected] Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b5:8d:44:70:43:7f:c7:e2:06:79:cf:5c:e3:fd: f9:ba:8a:7f:29:28:a0:9a:6a:6d:2e:19:07:36:38: a4:fa:b1:5b:eb:86:ec:c3:66:4b:21:e6:24:76:58: 8c:dd:c3:dc:65:5d:d6:69:ee:78:72:bd:4d:ee:eb: 28:18:66:52:40:15:92:63:c7:c6:3c:09:ad:c7:83: 08:2e:41:12:2d:13:04:f2:e4:50:36:a4:cb:f9:5e: d6:68:1a:54:25:52:eb:c6:ae:75:a3:94:db:39:82: f0:e6:fa:d0:7c:65:c6:5a:f7:b2:dd:ad:e2:78:49: 9a:43:04:1f:32:3b:9f:3a:b7 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 2D:30:C7:A0:63:20:53:BC:51:89:EA:48:EB:03:FA:04:19:5C:5E:8A X509v3 Authority Key Identifier: keyid:09:0C:CD:9D:D7:F3:48:3B:D2:64:9F:59:6C:7A:D9:C1:B5:48:13:8B DirName:/C=BR/ST=SP/L=Sao Paulo/O=The Source/OU=TI/CN=mgarcia.thesource.com.br/[email protected] serial:90:0F:AD:CB:A3:F5:FD:53

Signature Algorithm: md5WithRSAEncryption 44:37:da:26:34:0f:1c:5a:04:5d:28:fa:81:45:7e:d2:39:cf: 4a:13:78:3f:4c:9e:16:2a:37:2a:1c:e0:c9:b4:ea:eb:06:c9: 96:24:6a:95:1b:98:40:bc:6d:83:2b:7a:c1:f4:86:ac:e6:97: 9a:45:27:f6:30:39:e7:7e:b6:b4:03:93:ec:15:a3:42:db:ca: 6a:03:56:57:08:eb:66:f1:35:b3:89:f7:f3:c8:8b:6d:8e:9a: 1b:2c:7a:55:3a:54:8a:74:0b:2e:c1:17:86:ab:92:24:fa:67: fb:e3:d9:3d:ba:13:84:f2:8c:e3:48:e1:a6:8c:ca:c8:b5:ec: 33:38-----BEGIN CERTIFICATE-----MIID4jCCA0ugAwIBAgIBATANBgkqhkiG9w0BAQQFADCBnDELMAkGA1UEBhMCQlIxCzAJBgNVBAgTAlNQMRIwEAYDVQQHEwlTYW8gUGF1bG8xEzARBgNVBAoTClRoZSBTb3VyY2UxCzAJBgNVBAsTAlRJMSEwHwYDVQQDExhtZ2FyY2lhLnRoZXNvdXJjZS5jb20uYnIxJzAlBgkqhkiG9w0BCQEWGG1nYXJjaWFAdGhlc291cmNlLmNvbS5icjAeFw0wNjA3MTMyMDM5MjZaFw0wNzA3MTMyMDM5MjZaMIGcMQswCQYDVQQGEwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzETMBEGA1UEChMKVGhlIFNvdXJjZTELMAkGA1UECxMCVEkxITAfBgNVBAMTGG1nYXJjaWEudGhlc291cmNlLmNvbS5icjEnMCUGCSqGSIb3DQEJARYYbWdhcmNpYUB0aGVzb3VyY2UuY29tLmJyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1jURwQ3/H4gZ5z1zj/fm6in8pKKCaam0uGQc2OKT6sVvrhuzDZksh5iR2WIzd


PABX: 2171-430021 de 23

w9xlXdZp7nhyvU3u6ygYZlJAFZJjx8Y8Ca3HgwguQRItEwTy5FA2pMv5XtZoGlQlUuvGrnWjlNs5gvDm+tB8ZcZa97LdreJ4SZpDBB8yO586twIDAQABo4IBMDCCASwwCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFC0wx6BjIFO8UYnqSOsD+gQZXF6KMIHRBgNVHSMEgckwgcaAFAkMzZ3X80g70mSfWWx62cG1SBOLoYGipIGfMIGcMQswCQYDVQQGEwJCUjELMAkGA1UECBMCU1AxEjAQBgNVBAcTCVNhbyBQYXVsbzETMBEGA1UEChMKVGhlIFNvdXJjZTELMAkGA1UECxMCVEkxITAfBgNVBAMTGG1nYXJjaWEudGhlc291cmNlLmNvbS5icjEnMCUGCSqGSIb3DQEJARYYbWdhcmNpYUB0aGVzb3VyY2UuY29tLmJyggkAkA+ty6P1/VMwDQYJKoZIhvcNAQEEBQADgYEARDfaJjQPHFoEXSj6gUV+0jnPShN4P0yeFio3KhzgybTq6wbJliRqlRuYQLxtgyt6wfSGrOaXmkUn9jA55362tAOT7BWjQtvKagNWVwjrZvE1s4n388iLbY6aGyx6VTpUinQLLsEXhquSJPpn++PZPboThPKM40jhpozKyLXsMzg=-----END CERTIFICATE-----Signed certificate is in newcert.pem

• Copiando os certificados para o diretório do OpenLDAP

# cd /tmp/certs# mkdir /usr/local/etc/openldap/certs# cp demoCA/cacert.pem /usr/local/etc/openldap/certs/# cp newcert.pem /usr/local/etc/openldap/certs/servercrt.pem# cp newreq.pem /usr/local/etc/openldap/certs/serverkey.pem# chmod 600 /usr/local/etc/openldap/certs/serverkey.pem

• Configurando o servidor OpenLDAP

# cd /usr/local/etc/openldap/

# vi slapd.conf

# TLS / SSL

TLSCACertificateFile /usr/local/etc/openldap/certs/cacert.pemTLSCertificateFile /usr/local/etc/openldap/certs/servercrt.pemTLSCertificateKeyFile /usr/local/etc/openldap/certs/serverkey.pem

• Configurando o cliente LDAP

# cd /usr/local/etc/openldap/

# vi ldap.conf

TLS_CACERT /usr/local/etc/openldap/certs/cacert.pem

• Carregando o OpenLDAP com suporte e TLS / SSL

# killall -9 slapd# /usr/local/libexec/slapd -h 'ldap:/// ldaps:///'


PABX: 2171-430022 de 23

ldap:///

• Consultando a base LDAP utilizando TLS / SSL

# ldapsearch -x -b c=BR -LLL -ZZ

• Parâmetros do ldapsearch

-Z Exibe os erros, mas continua a pesquisa-ZZ Exibe os erros, mas não continua a pesquisa

Obrigado!

Marcio Garcia [email protected]@thesource.com.br


PABX: 2171-430023 de 23



Circuito_OpenLDAP

Documents

Transcript of Circuito_OpenLDAP